executor, privilege: require CONFIG privilege for is.cluster_config #26071

Merged
merged 9 commits into from
Jul 12, 2021

@morgo morgo commented Jul 8, 2021

What problem does this PR solve?

Issue Number: close #26062

Problem Summary:

The cluster_config table should require the CONFIG privilege. This is consistent with the behavior change in #25379 which requires CONFIG for SHOW CONFIG.

It makes sense to cherry pick to 5.1, but not 5.0; because the behavior in 5.0 was not established yet, and SHOW CONFIG still requires no privileges.

What is changed and how it works?

What's Changed:

Reading from the table information_schema.cluster_config now requires the CONFIG privilege.

Related changes

  • Need to cherry-pick to the release branch

Check List

Tests

  • Unit test

Side effects

  • Breaking backward compatibility (yes, but for security)

Release note

  • Reading from the table information_schema.cluster_config now requires the CONFIG privilege.
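
An added example, not part of the PR or the TiDB code base: a post-upgrade check an operator can run to see which accounts can still read `information_schema.cluster_config` once `CONFIG` is required, and to grant it only where needed. The account name `cfg_reader` is constructed for illustration.

```sql
-- Constructed monitoring account; a freshly created user holds only USAGE.
CREATE USER 'cfg_reader'@'localhost';
SHOW GRANTS FOR 'cfg_reader'@'localhost';

-- Run as cfg_reader: with this change the read below is refused
-- until the account holds CONFIG.
-- SELECT * FROM information_schema.cluster_config LIMIT 1;

-- Audit: list every account that currently holds the global CONFIG
-- privilege (stored in the Config_priv column of TiDB's mysql.user table).
SELECT user, host
FROM mysql.user
WHERE Config_priv = 'Y';

-- Grant CONFIG only to accounts that genuinely need cluster configuration.
-- CONFIG is a global privilege, so it is granted ON *.*.
GRANT CONFIG ON *.* TO 'cfg_reader'@'localhost';
SHOW GRANTS FOR 'cfg_reader'@'localhost';

-- Remove it again when the account no longer needs it.
REVOKE CONFIG ON *.* FROM 'cfg_reader'@'localhost';
```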

@ti-chi-bot ti-chi-bot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Jul 8, 2021
Comment on lines +1467 to +1468
Username: "uroot2",
Hostname: "localhost",
Contributor Author

The username doesn't match the AuthUsername, which looks like a problem waiting to happen. I wrote this test but must have missed it :(

@ti-chi-bot ti-chi-bot added the status/LGT1 Indicates that a PR has LGTM 1. label Jul 9, 2021
@ti-chi-bot
Member

[REVIEW NOTIFICATION]

This pull request has been approved by:

  • breeswish
  • djshow832

To complete the pull request process, please ask the reviewers in the list to review by filling /cc @reviewer in the comment.
After your PR has acquired the required number of LGTMs, you can assign this pull request to the committer in the list by filling /assign @committer in the comment to help you merge this pull request.

Reviewer can indicate their review by submitting an approval review.
Reviewer can cancel approval by submitting a request changes review.

@ti-chi-bot ti-chi-bot added status/LGT2 Indicates that a PR has LGTM 2. and removed status/LGT1 Indicates that a PR has LGTM 1. labels Jul 10, 2021
@djshow832
Contributor

/merge

@ti-chi-bot
Member

This pull request has been accepted and is ready to merge.

Commit hash: 8bda59f

@ti-chi-bot ti-chi-bot added the status/can-merge Indicates a PR has been approved by a committer. label Jul 12, 2021
@ti-chi-bot ti-chi-bot merged commit 13bad85 into pingcap:master Jul 12, 2021
ti-srebot pushed a commit to ti-srebot/tidb that referenced this pull request Jul 12, 2021
Signed-off-by: ti-srebot <ti-srebot@pingcap.com>
@ti-srebot
Contributor

cherry pick to release-5.1 in PR #26150

Labels
needs-cherry-pick-release-5.1 sig/execution SIG execution sig/sql-infra SIG: SQL Infra size/M Denotes a PR that changes 30-99 lines, ignoring generated files. status/can-merge Indicates a PR has been approved by a committer. status/LGT2 Indicates that a PR has LGTM 2.
Development

Successfully merging this pull request may close these issues.

account who only has USAGE privilege can see information_schema.CLUSTER_CONFIG
5 participants